Progress! .532 boots! -- but dbus/hotplug/udev problems remain?

Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
now boots in strict/enforcing.

Many AVCs, and there is a problem with runlevel 5 (graphical login,
etc.) preventing login (but text login works).

Here are the first, early AVCs:  (I'll dig for more later.)

Aug 28 10:23:40 fedora kernel: usbcore: registered new driver usblp
Aug 28 10:23:40 fedora kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Aug 28 10:23:40 fedora acpid: acpid startup succeeded
Aug 28 10:23:40 fedora kernel: ACPI: Power Button (FF) [PWRF]
Aug 28 10:23:40 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied { search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { execute_no_trans } for pid=1271 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { write } for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file


These repeat many times. When run in permissive mode, this sequence becomes:

Aug 28 10:32:25 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc: denied { search } for pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc: denied { search } for pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { getattr } for pid=1283 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.077:0): avc: denied { execute_no_trans } for pid=1285 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.109:0): avc: denied { search } for pid=1285 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { write } for pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { setfscreate } for pid=1283 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 28 10:32:25 fedora kernel: audit(1093714317.126:0): avc: denied { search } for pid=1671 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir


Audit2allow on this says:
allow  : { write };
allow udev_t default_context_t:dir { search };
allow udev_t etc_t:file { execute_no_trans };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t udev_t:process { setfscreate };

The funny 'allow : { write };' is for the write of 'fscreate' in /proc.

After obtaining the graphical login screen, here is the offending AVC:

Aug 28 10:24:42 fedora gdm(pam_unix)[3888]: session opened for user tbl by (uid=0)
Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc: denied { create } for pid=4042 exe=/usr/bin/dbus-daemon-1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_selinux_socket


An error window pops up reporting an SELinux/AVC type failure. It then
returns to the login screen.

Just prior to that, there are many 'denied's from udev and hald. Here are a few:

Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:21 fedora kernel: audit(1093713853.755:0): avc: denied { execute } for pid=3466 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=606213 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 28 10:24:21 fedora udev[3953]: creating device node '/dev/vcs7'
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.817:0): avc: denied { search } for pid=3798 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.819:0): avc: denied { execute_no_trans } for pid=3846 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:updfstab_t tcontext=system_u:system_r:hald_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.820:0): avc: denied { write } for pid=3798 exe=/sbin/udev name=fscreate dev=proc ino=248905750 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file


[BTW: When I reboot, /etc/fstab has been relabeled to type tmp_t. Is the above causing this?]

I rebooted strict/permissive, and things appear OK, including loading
of sound modules.

However, as noted above, something is relabeling /etc/fstab to tmp_t:

Aug 28 10:33:21 fedora gdm(pam_unix)[3786]: session opened for user tbl by (uid=0)
Aug 28 10:33:21 fedora kernel: audit(1093714401.349:0): avc: denied { read } for pid=3786 exe=/usr/bin/gdm-binary name=fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file
Aug 28 10:33:21 fedora kernel: audit(1093714401.350:0): avc: denied { getattr } for pid=3786 exe=/usr/bin/gdm-binary path=/etc/fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file


I believe I'm running a 'stock' Rawhide system.

tom
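As an added example (not part of Tom's post and not audit2allow's own code), here is a small Python reading of AVC lines in the format shown above: it re-joins records the mailer wrapped over two lines (as the fscreate write and the getattr denial are in the post), parses both the kernel and the dbus form of a denial, and aggregates them into audit2allow-style rules keyed on source type, target type and object class. The sample log is constructed from the post's records; a record whose scontext, tcontext or tclass cannot be recovered is dropped rather than emitted as a rule with empty types.

```python
import re
from collections import defaultdict
# Constructed sample in the post's log format: kernel AVCs, two of them
# wrapped by the mailer as in the post, and a userspace AVC reported by dbus.
SAMPLE_LOG = """\
Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc: denied { search } for pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { getattr
} for pid=1283 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { write }
for pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def unwrap(lines):
    """Re-join a record the mailer split: the continuation has no syslog stamp and starts with 'for ' or '}'."""
    out = []
    for line in lines:
        if out and (line.startswith("for ") or line.startswith("}")):
            out[-1] = out[-1].rstrip() + " " + line
        else:
            out.append(line)
    return out

def parse_avc(line):
    """One unwrapped AVC record -> its key=value fields plus 'perms'; None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("rest")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: drop it rather than emit a rule with empty types
    rec["perms"] = m.group("perms").split()
    return rec

def ctx_type(ctx):
    return ctx.split(":")[2]  # user:role:type[:range] -> type

def to_allow_rules(text):
    """Aggregate denials into audit2allow-style rules, one per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in unwrap(text.splitlines()):
        rec = parse_avc(line)
        if rec:
            key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]
```

The generated rules are a summary of what was denied, not a verdict on what should be allowed; whether a given denial belongs in policy or points at a mislabelled file (as the tmp_t /etc/fstab does) is still a judgement the output does not make.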

